[jira] [Commented] (DIRMINA-1182) Is there any plan to fix the dependent vulnerabilities of Spring Framework 2.5.6.SEC03?

Thu, 24 Oct 2024 20:03:46 -0700 


    [ 
https://issues.apache.org/jira/browse/DIRMINA-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17892626#comment-17892626
 ] 

Emmanuel Lécharny commented on DIRMINA-1182:
--------------------------------------------

Ok, thanks to [~keyboarddesirstroyer] PR, I was able to push a new version of 
Spring in 2.1.X branch (for the moment).

A few things:
- It need to be pushed to 2.0.X and 2.2.X branches too
- I wasn't able to use Spring v6, because it requires Java 17, so I used 
version 5
- {{mina-example}} module still use version 2, but it's not critical, because 
it's not going to be integrated in any project

> Is there any plan to fix the dependent vulnerabilities of Spring Framework 
> 2.5.6.SEC03?
> ---------------------------------------------------------------------------------------
>
>                 Key: DIRMINA-1182
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1182
>             Project: MINA
>          Issue Type: Wish
>    Affects Versions: 2.2.3, 2.1.8
>            Reporter: Yuanhua Han
>            Priority: Major
>         Attachments: image-2024-10-08-22-47-47-371.png, 
> image-2024-10-08-22-49-52-441.png, image-2024-10-08-22-54-11-235.png
>
>
> Hello, we found that Apache MINA 2.2.3 and 2.1.8 both depends on spring 
> 2.5.6.SEC03(corresponding to Spring Framework software),  which is a very old 
> version (released on Sep 09, 2011) and has been EOL and also can not find 
> source code package.
> It seems that spring 2.5.6.SEC03 have some vulnerabilities(this artifact was 
> moved to spring-core and spring-core 2.5.6.SEC03 have vulnerabilities).
> [https://mvnrepository.com/artifact/org.springframework/spring]
> !image-2024-10-08-22-47-47-371.png!
> [https://mvnrepository.com/artifact/org.springframework/spring-core/2.5.6.SEC03]
> !image-2024-10-08-22-54-11-235.png!
> Does these vulnerability affect Apache MINA? If yes, can I ask if there are 
> any plans of Apache MINA community to adapt to the new version of Spring 
> Framework to fix these vulnerabilities? 
> Thanks.
> The detailed dependencies are as follows:
> mina-integration-xbean 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
> mina-example 2.2.3/2.1.8 ---> spring 2.5.6.SEC03



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

Reply via email to